Securing Serverless - By Breaking In
•
0 likes•448 views
Guy Podjarny breaks into a vulnerable serverless application and exploits multiple weaknesses, helping better understand some of the mistakes people make, their implications, and how to avoid them. Video available on: https://www.infoq.com/presentations/serverless-security-2017
Report
Share
Report
Share
Download to read offline
Recommended
Serverless Security: What's Left To Protect
Serverless means handing off server management to the cloud platforms – along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect? As it turns out, quite a lot.
This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe.
Required audience experience
Basic knowledge of how FaaS and Serverless works
Objective of the talk
As many companies explore the world of serverless, it’s important they understand the aspects of security this new world helps them with, and the ones they need to care more about. This talk will provide a framework to understand how to prioritise and approach security for Serverless apps.
Security Patterns for Microservice Architectures - London Java Community 2020
Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures.
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery Pipelines
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time-Based Security
10. Scan Docker and Kubernetes Configuration for Vulnerabilities
11. Know Your Cloud and Cluster Security
Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
AWS live hack: Docker + Snyk Container on AWS
Slides from session 3 of the Snyk AWS live hack series
Dec 15, 2021 with Eric Smalling, Dev Advocate at Snyk, and Peter McKee, Head of Dev Relations & Community at Docker.
Stephen Sadowski - Securely automating infrastructure in the cloud
This document summarizes Stephen Sadowski's presentation on securely automating infrastructure in the cloud. It discusses the tools and processes they used, including Terraform for infrastructure as code, Chef for configuration management, GitLab for source control and access management, Jenkins for continuous integration/delivery, ELK for logging, Sensu for monitoring, and PagerDuty for alerting. It emphasizes treating infrastructure like code, minimum necessary access, and ensuring security is built into processes from the beginning through techniques like encryption, access control lists, and compliance testing.
Dev seccon london 2016 intelliment security
This document discusses writing firewall policies in application manifests from a DevSecOps perspective. It describes how defining network and security requirements as code can help automate infrastructure delivery and reduce bottlenecks. The presenter advocates applying a "shift left" paradigm to define requirements early. A demo is outlined showing how Puppet can be used to define an application's network visibility needs, which are then automatically validated and deployed to firewalls by Intelliment for consistent security compliance across teams.
Evaluating container security with ATT&CK Framework
Containers have been crucial in helping organizations orchestrate their infrastructure requirements. The scalability and reproducibility aspects of containerized environments have enabled applications and web components to be deployed seamlessly in the cloud. While containers have multiple benefits, they also come with distinct security issues, resulting in attackers gaining access to the container, the host, and eventually the data. The first step towards implementing Container Runtime Security is to understand the current threat scenarios and adversary trends affecting the cloud containers. To aptly evaluate the container threat landscape in any environment, an attack matrix should be formulated to ensure that relevant techniques and tactic are identified for every attack stage.
The ATT&CK framework from MITRE has been a go-to framework to formulate a threat matrix, identify an adversary’s tactics and methods/techniques used to attain their end game of privilege escalation or data exfiltration. This presentation is targeted towards:
Today’s container runtime security landscape
Apply ATT&CK methodology on the container runtime environment
Provide a practical approach towards attack surface, scenarios, and attack trends
Validations and Security Best Practices
AWS live hack: Atlassian + Snyk OSS on AWS
The document discusses securing modern applications in AWS. It begins with an overview of the risk profile of modern applications, noting that they often incorporate a large amount of open source code and are deployed rapidly using containers and infrastructure as code. It then demonstrates how to "live hack" an application running on AWS. Next, it discusses how Snyk can help prevent such exploits by empowering developers, automating fixes, and providing security throughout the entire codebase. It also outlines additional security practices like minimizing container footprints, using secrets safely, and implementing network policies. Finally, it promotes attending additional security sessions and provides references for further reading.
Elizabeth Lawler - Devops, security, and compliance working in unison
The document discusses improving security, compliance, and risk management through a DevSecOps approach. It outlines steps such as mapping compliance controls to infrastructure components, categorizing risks, describing controls and mitigations, testing controls, and communicating controls to stakeholders. Automating compliance checks and integrating security practices into development workflows are presented as ways to improve security, compliance, and speed of delivery simultaneously.
Recommended
Serverless Security: What's Left To Protect
Serverless means handing off server management to the cloud platforms – along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect? As it turns out, quite a lot.
This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe.
Required audience experience
Basic knowledge of how FaaS and Serverless works
Objective of the talk
As many companies explore the world of serverless, it’s important they understand the aspects of security this new world helps them with, and the ones they need to care more about. This talk will provide a framework to understand how to prioritise and approach security for Serverless apps.
Security Patterns for Microservice Architectures - London Java Community 2020
Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures.
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery Pipelines
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time-Based Security
10. Scan Docker and Kubernetes Configuration for Vulnerabilities
11. Know Your Cloud and Cluster Security
Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
AWS live hack: Docker + Snyk Container on AWS
Slides from session 3 of the Snyk AWS live hack series
Dec 15, 2021 with Eric Smalling, Dev Advocate at Snyk, and Peter McKee, Head of Dev Relations & Community at Docker.
Stephen Sadowski - Securely automating infrastructure in the cloud
This document summarizes Stephen Sadowski's presentation on securely automating infrastructure in the cloud. It discusses the tools and processes they used, including Terraform for infrastructure as code, Chef for configuration management, GitLab for source control and access management, Jenkins for continuous integration/delivery, ELK for logging, Sensu for monitoring, and PagerDuty for alerting. It emphasizes treating infrastructure like code, minimum necessary access, and ensuring security is built into processes from the beginning through techniques like encryption, access control lists, and compliance testing.
Dev seccon london 2016 intelliment security
This document discusses writing firewall policies in application manifests from a DevSecOps perspective. It describes how defining network and security requirements as code can help automate infrastructure delivery and reduce bottlenecks. The presenter advocates applying a "shift left" paradigm to define requirements early. A demo is outlined showing how Puppet can be used to define an application's network visibility needs, which are then automatically validated and deployed to firewalls by Intelliment for consistent security compliance across teams.
Evaluating container security with ATT&CK Framework
Containers have been crucial in helping organizations orchestrate their infrastructure requirements. The scalability and reproducibility aspects of containerized environments have enabled applications and web components to be deployed seamlessly in the cloud. While containers have multiple benefits, they also come with distinct security issues, resulting in attackers gaining access to the container, the host, and eventually the data. The first step towards implementing Container Runtime Security is to understand the current threat scenarios and adversary trends affecting the cloud containers. To aptly evaluate the container threat landscape in any environment, an attack matrix should be formulated to ensure that relevant techniques and tactic are identified for every attack stage.
The ATT&CK framework from MITRE has been a go-to framework to formulate a threat matrix, identify an adversary’s tactics and methods/techniques used to attain their end game of privilege escalation or data exfiltration. This presentation is targeted towards:
Today’s container runtime security landscape
Apply ATT&CK methodology on the container runtime environment
Provide a practical approach towards attack surface, scenarios, and attack trends
Validations and Security Best Practices
AWS live hack: Atlassian + Snyk OSS on AWS
The document discusses securing modern applications in AWS. It begins with an overview of the risk profile of modern applications, noting that they often incorporate a large amount of open source code and are deployed rapidly using containers and infrastructure as code. It then demonstrates how to "live hack" an application running on AWS. Next, it discusses how Snyk can help prevent such exploits by empowering developers, automating fixes, and providing security throughout the entire codebase. It also outlines additional security practices like minimizing container footprints, using secrets safely, and implementing network policies. Finally, it promotes attending additional security sessions and provides references for further reading.
Elizabeth Lawler - Devops, security, and compliance working in unison
The document discusses improving security, compliance, and risk management through a DevSecOps approach. It outlines steps such as mapping compliance controls to infrastructure components, categorizing risks, describing controls and mitigations, testing controls, and communicating controls to stakeholders. Automating compliance checks and integrating security practices into development workflows are presented as ways to improve security, compliance, and speed of delivery simultaneously.
Why should developers care about container security?
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
Security in CI/CD Pipelines: Tips for DevOps Engineers
While DevOps is becoming a new norm for most of the companies, security is typically still behind. The new architectures create a number of new process considerations and technical issues. In this practical talk, we will present an overview of the practical issues that go into making security a part of DevOps processes. Will cover incorporating security into existing CI/CD pipelines and tools DevOps professionals need to know to implement the automation and adhere to secure coding practices.
Join Stepan Ilyin, Chief Product Officer at Wallarm for an engaging conversation where you’ll learn:
Methodologies and tooling for dynamic and static security testing
Composite and OSS license analysis benefits
Secrets and analysis and secrets management approaches in distributed applications
Security automation and integration in CI/CD
Apps, APIs and workloads protection in cloud-native K8s enabled environments
The Future of Security and Productivity in Our Newly Remote World
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Henrique Dantas - API fuzzing using Swagger
The document discusses API security testing using Swagger specifications. It notes that APIs are good targets for security testing due to their closeness to databases and ubiquity. The solution presented involves automating security testing of APIs by leveraging existing Swagger specifications in a Python library, which allows for extensive and extendible fuzzing of APIs while integrating results and providing reports. The library uses the popular Swagger and Sulley tools for fuzzing.
360° Kubernetes Security: From Source Code to K8s Configuration Security
Kubernetes has become the default way for many organizations to scale and orchestrate their use of containers. However, organizations are starting to find themselves needing to take the necessary steps to protect their containers. Automating security checks throughout the development life cycle can help reduce risk and allow organizations to develop and deploy securely.
Join Shiri Ivstan, Senior Product Manager at WhiteSource and Yaniv Peleg Tsabari, Senior Director of Product Management at Alcide, as they explore the world of security in Kubernetes and discuss:
The security risks associated with open-source code and Kubernetes environments
Supply Chain: Continuous Security throughout the CI/CD pipeline
Security aspects throughout the development cycle, such as Image Scanning, Image Assurance, K8s Configuration hygiene and more.
How to automate policies with respect to the above techniques throughout the CI/CD pipeline in order to facilitate more secure application deployments.
Lacework | Top 10 Cloud Security Threats
James Condon presented the top 10 threats to cloud security. These included cryptojacking, data leaks from misconfigurations, SSH brute force attacks, data exfiltration by advanced persistent threats, malware like ransomware and coin miners, remote code execution from vulnerabilities, container escapes, server compromises, and malicious insiders. Mitigations involved visibility, access controls, patching, monitoring, and security best practices.
Alfredo Reino - Monitoring aws and azure
This document provides an overview of monitoring Azure and AWS cloud environments. It discusses why monitoring is important for threat detection, hunting and response. It outlines what aspects should be monitored, including operating systems, applications, network traffic, and cloud service logs. Specific AWS and Azure monitoring options are described, such as CloudTrail, VPC Flow Logs, and Azure Audit Logs. Integrating cloud logs with SIEMs and threat intelligence feeds is also covered. Endpoint monitoring tools are suggested to record process, file, registry and network activity on virtual machines.
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework's Dir. of Research's presentation from DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryptobooty
AllDayDevOps 2019 AppSensor
Modern applications can protect themselves from attackers by incorporating runtime monitoring capabilities. The OWASP AppSensor project aims to make intrusion detection primitives available within applications so they can detect attacks and automatically respond before an attacker succeeds. It works by collecting event data from applications and analyzing them for attacks using configurable rules. This allows applications to become self-defending by detecting and stopping attackers without needing manual responses.
All Your Containers Are Belong To Us
Lacework Head of Research James Condon's BSidesSF19 presentation "All Your Containers Are Belong To Us."
Aleksei Dremin - Application Security Pipeline - phdays9
This document discusses setting up an application security pipeline for continuous integration and delivery (CI/CD). It recommends using static application security testing (SAST) tools, dependency checkers, source code scanners, dynamic application security testing (DAST) tools, and integrating them with Jenkins. It also suggests managing vulnerabilities and results in DefectDojo and notifying stakeholders of new findings through integration with communication tools like Slack. The document stresses the importance of educating developers on security best practices.
DevSecOps | DevOps Sec
DevSecOps enables organizations to deliver secure software at DevOps speed.
Development - Software releases and updates
Operations - Reliability Performance & Scaling
Security - Confidentiality, Availability, Integrity
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
This document provides an overview of automated end-to-end security for AWS. It discusses how the majority of compromises are due to credentials being compromised, failure to patch security flaws, insider threats, or human error. An example compromise is described where a developer at a company accidentally committed SSH keys to GitHub, allowing a hacker to access servers and exfiltrate customer data, resulting in a $148 million settlement. The document then outlines how Lacework can help secure workloads, containers, configuration, AWS accounts, and provide continuous auditing and compliance.
Hacking into your containers, and how to stop it!
This document discusses hacking into containers and how to stop it. It begins with an overview of increased security responsibilities for developers as containers add operating system level concerns. It then demonstrates hacking techniques and defenses that can be used in depth, such as minimizing images, not running as root, read only root filesystems, secrets management, and network policies. Key takeaways are that fast security feedback is important for developers and implementing known secure practices for building and running containers can help mitigate vulnerabilities.
Secure Your Code Implement DevSecOps in Azure
What is Dev{Sec}Ops ?
• DevSecOps in GitHub & Demos
• DevSecOps in Azure
• 3rd Party DevSecOps Tools
• DEMO : Implement Security in Azure DevOps CI/CD
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
Lacework's Head of Research's presentation from BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
Lacework Kubernetes Meetup | August 28, 2018
The document discusses container and cloud security. It describes Lacework's Polygraph security platform, which provides threat intelligence, detection, visibility, and alerting capabilities across cloud infrastructure, workloads, accounts, VMs, containers and files. It highlights risks like container escapes and privilege escalation. The document also provides examples of container security threats like the Healthz RCE vulnerability and recommendations like implementing multi-factor authentication, pod security policies, and restricting privileges.
DevSecOps in Baby Steps
The document discusses adopting a DevSecOps approach to security by starting small with baby steps. It recommends making security part of the development team's job, hardening the development toolchain, planning security-focused epics and user stories, and implementing them in sprints to continuously improve security.
You Build It, You Secure It: Introduction to DevSecOps
In this presentation, DevOps and DevSecOps expert John Willis dives into how to implement DevSecOps, including:
- Why traditional DevOps has shifted and what this shift means
- How DevSecOps can change the game for your team
- Tips and tricks for getting DevSecOps started within your organization
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments.
Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss:
How applications in the DevOps toolchain use PKI (i.e. Jenkins, Kubernetes, Istio, etc.)
The risks of unmanaged or untracked certificates in DevOps environments
Best practices to support visibility, compliance and automation of certificates in CI/CD
Serverless Security: What's Left to Protect?
Slides from my ServerlessConf Austin 2017.
Serverless means handing off server management to the cloud platforms - along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect?
As it turns out, quite a lot. This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe
Secure Node Code (workshop, O'Reilly Security)
Some of the very things that make JavaScript awesome can also leave it exposed. Guy Podjarny and Danny Grander walk through some sample security flaws unique to Node’s async nature and surrounding ecosystem (or especially relevant to it)—e.g., memory leaks via the buffer object, ReDoS and other algorithmic DoS attacks (which impact Node due to its single-threaded nature), and timing attacks leveraging the EventLoop—and show how these could occur in your own code or in npm dependencies.
More Related Content
What's hot
Why should developers care about container security?
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
Security in CI/CD Pipelines: Tips for DevOps Engineers
While DevOps is becoming a new norm for most of the companies, security is typically still behind. The new architectures create a number of new process considerations and technical issues. In this practical talk, we will present an overview of the practical issues that go into making security a part of DevOps processes. Will cover incorporating security into existing CI/CD pipelines and tools DevOps professionals need to know to implement the automation and adhere to secure coding practices.
Join Stepan Ilyin, Chief Product Officer at Wallarm for an engaging conversation where you’ll learn:
Methodologies and tooling for dynamic and static security testing
Composite and OSS license analysis benefits
Secrets and analysis and secrets management approaches in distributed applications
Security automation and integration in CI/CD
Apps, APIs and workloads protection in cloud-native K8s enabled environments
The Future of Security and Productivity in Our Newly Remote World
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Henrique Dantas - API fuzzing using Swagger
The document discusses API security testing using Swagger specifications. It notes that APIs are good targets for security testing due to their closeness to databases and ubiquity. The solution presented involves automating security testing of APIs by leveraging existing Swagger specifications in a Python library, which allows for extensive and extendible fuzzing of APIs while integrating results and providing reports. The library uses the popular Swagger and Sulley tools for fuzzing.
360° Kubernetes Security: From Source Code to K8s Configuration Security
Kubernetes has become the default way for many organizations to scale and orchestrate their use of containers. However, organizations are starting to find themselves needing to take the necessary steps to protect their containers. Automating security checks throughout the development life cycle can help reduce risk and allow organizations to develop and deploy securely.
Join Shiri Ivstan, Senior Product Manager at WhiteSource and Yaniv Peleg Tsabari, Senior Director of Product Management at Alcide, as they explore the world of security in Kubernetes and discuss:
The security risks associated with open-source code and Kubernetes environments
Supply Chain: Continuous Security throughout the CI/CD pipeline
Security aspects throughout the development cycle, such as Image Scanning, Image Assurance, K8s Configuration hygiene and more.
How to automate policies with respect to the above techniques throughout the CI/CD pipeline in order to facilitate more secure application deployments.
Lacework | Top 10 Cloud Security Threats
James Condon presented the top 10 threats to cloud security. These included cryptojacking, data leaks from misconfigurations, SSH brute force attacks, data exfiltration by advanced persistent threats, malware like ransomware and coin miners, remote code execution from vulnerabilities, container escapes, server compromises, and malicious insiders. Mitigations involved visibility, access controls, patching, monitoring, and security best practices.
Alfredo Reino - Monitoring aws and azure
This document provides an overview of monitoring Azure and AWS cloud environments. It discusses why monitoring is important for threat detection, hunting and response. It outlines what aspects should be monitored, including operating systems, applications, network traffic, and cloud service logs. Specific AWS and Azure monitoring options are described, such as CloudTrail, VPC Flow Logs, and Azure Audit Logs. Integrating cloud logs with SIEMs and threat intelligence feeds is also covered. Endpoint monitoring tools are suggested to record process, file, registry and network activity on virtual machines.
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework's Dir. of Research's presentation from DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryptobooty
AllDayDevOps 2019 AppSensor
Modern applications can protect themselves from attackers by incorporating runtime monitoring capabilities. The OWASP AppSensor project aims to make intrusion detection primitives available within applications so they can detect attacks and automatically respond before an attacker succeeds. It works by collecting event data from applications and analyzing them for attacks using configurable rules. This allows applications to become self-defending by detecting and stopping attackers without needing manual responses.
All Your Containers Are Belong To Us
Lacework Head of Research James Condon's BSidesSF19 presentation "All Your Containers Are Belong To Us."
Aleksei Dremin - Application Security Pipeline - phdays9
This document discusses setting up an application security pipeline for continuous integration and delivery (CI/CD). It recommends using static application security testing (SAST) tools, dependency checkers, source code scanners, dynamic application security testing (DAST) tools, and integrating them with Jenkins. It also suggests managing vulnerabilities and results in DefectDojo and notifying stakeholders of new findings through integration with communication tools like Slack. The document stresses the importance of educating developers on security best practices.
DevSecOps | DevOps Sec
DevSecOps enables organizations to deliver secure software at DevOps speed.
Development - Software releases and updates
Operations - Reliability Performance & Scaling
Security - Confidentiality, Availability, Integrity
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
This document provides an overview of automated end-to-end security for AWS. It discusses how the majority of compromises are due to credentials being compromised, failure to patch security flaws, insider threats, or human error. An example compromise is described where a developer at a company accidentally committed SSH keys to GitHub, allowing a hacker to access servers and exfiltrate customer data, resulting in a $148 million settlement. The document then outlines how Lacework can help secure workloads, containers, configuration, AWS accounts, and provide continuous auditing and compliance.
Hacking into your containers, and how to stop it!
This document discusses hacking into containers and how to stop it. It begins with an overview of increased security responsibilities for developers as containers add operating system level concerns. It then demonstrates hacking techniques and defenses that can be used in depth, such as minimizing images, not running as root, read only root filesystems, secrets management, and network policies. Key takeaways are that fast security feedback is important for developers and implementing known secure practices for building and running containers can help mitigate vulnerabilities.
Secure Your Code Implement DevSecOps in Azure
What is Dev{Sec}Ops ?
• DevSecOps in GitHub & Demos
• DevSecOps in Azure
• 3rd Party DevSecOps Tools
• DEMO : Implement Security in Azure DevOps CI/CD
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
Lacework's Head of Research's presentation from BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
Lacework Kubernetes Meetup | August 28, 2018
The document discusses container and cloud security. It describes Lacework's Polygraph security platform, which provides threat intelligence, detection, visibility, and alerting capabilities across cloud infrastructure, workloads, accounts, VMs, containers and files. It highlights risks like container escapes and privilege escalation. The document also provides examples of container security threats like the Healthz RCE vulnerability and recommendations like implementing multi-factor authentication, pod security policies, and restricting privileges.
DevSecOps in Baby Steps
The document discusses adopting a DevSecOps approach to security by starting small with baby steps. It recommends making security part of the development team's job, hardening the development toolchain, planning security-focused epics and user stories, and implementing them in sprints to continuously improve security.
You Build It, You Secure It: Introduction to DevSecOps
In this presentation, DevOps and DevSecOps expert John Willis dives into how to implement DevSecOps, including:
- Why traditional DevOps has shifted and what this shift means
- How DevSecOps can change the game for your team
- Tips and tricks for getting DevSecOps started within your organization
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments.
Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss:
How applications in the DevOps toolchain use PKI (i.e. Jenkins, Kubernetes, Istio, etc.)
The risks of unmanaged or untracked certificates in DevOps environments
Best practices to support visibility, compliance and automation of certificates in CI/CD
What's hot (20)
Why should developers care about container security?
Why should developers care about container security?
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOps
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
Similar to Securing Serverless - By Breaking In
Serverless Security: What's Left to Protect?
Slides from my ServerlessConf Austin 2017.
Serverless means handing off server management to the cloud platforms - along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect?
As it turns out, quite a lot. This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe
Secure Node Code (workshop, O'Reilly Security)
Some of the very things that make JavaScript awesome can also leave it exposed. Guy Podjarny and Danny Grander walk through some sample security flaws unique to Node’s async nature and surrounding ecosystem (or especially relevant to it)—e.g., memory leaks via the buffer object, ReDoS and other algorithmic DoS attacks (which impact Node due to its single-threaded nature), and timing attacks leveraging the EventLoop—and show how these could occur in your own code or in npm dependencies.
AusCERT - Developing Secure iOS Applications
Michael Gianarakis' presentation discusses developing secure iOS applications. It provides an overview of the iOS application attack surface and common security issues. It outlines secure design principles such as not trusting the client/runtime, understanding the app's risk profile, implementing anti-debugging controls, jailbreak detection, and address space validation. The presentation aims to help developers design apps that are secure against common attacks.
Securing Serverless by Breaking in
Guy Podjarny from Snyk gave a presentation on securing serverless applications. He demonstrated vulnerabilities in a sample serverless app and how to fix them. The main security issues discussed were vulnerable dependencies, denial of service attacks from regular expression denial of service (ReDoS) vulnerabilities, secrets in code, granular permissions and functions, and immutable servers being reused. Podjarny emphasized testing for vulnerabilities, using key management systems, deploying narrowly-scoped functions, and monitoring functions over time.
Proactive Security AppSec Case Study
Automating your way to Proactive Application Security
Andy Hoernecke
AppSec Engineer
Netflix
OWASP Atlanta
4/21/2016
Application security meetup k8_s security with zero trust_29072021
The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Tizen is an operating system which is built to run on various kinds of devices. Tizen OS defines following profiles based on the devices types supported.
Tizen IVI (in-vehicle infotainment)
Tizen Mobile
Tizen TV, and
Tizen Wearable
Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained.
The vulnerabilities in Tizen identified during the research and responsibly disclosed to Tizen community will be discussed. This includes issues like Tizen WebKit2 Address spoofing and content injection, Buffer Overflows, Issues in Memory Protection like ASLR and DEP, Injecting SSL Certificate into Trusted Zone, (Shellshock) CVE-2014-6271 etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. Overview of pentesting Tizen application will be presented along with some of the issues impacting the security of Tizen application. There will be comparisons made to Android application, and how these security issues differ with Tizen.
For eg: Security issues with inter application communication with custom URL schemes or intent broadcasting in Android as opposed to using MessagePort API in Tizen. Issues with Webview & JavaScript Bridge in Android compared to how the web to native communication is handled with Tizen etc.
Tizen is late to enter into the market as compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OS, and fixing these issues right in the Security Architecture. To conclude, a verdict would be provided by the speaker on how much Tizen has achieved with regard to making this mobile OS a secure one.
(SEC202) Best Practices for Securely Leveraging the Cloud
Cloud adoption is driving digital business growth and enabling companies to shift to processes and practices that make innovation continual. As with any paradigm shift, cloud computing requires different rules and a different way of thinking. This presentation will highlight best practices to build and secure scalable systems in the cloud and capitalize on the cloud with confidence and clarity.
In this session we will cover:
Key market drivers and advantages for leveraging cloud architectures.
Foundational design principles to guide strategy for securely leveraging the cloud.
The “Defense in Depth” approach to building secure services in the cloud, whether it’s private, public, or hybrid.
Real-world customer insights from organizations who have successfully adopted the ""Defense in Depth"" approach.
Session sponsored by Sumo Logic.
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
During this talk, we looked at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window.
For more information, please visit our website at www.synopsys.com/softwareMicroservices and Devs in Charge: Why Monitoring is an Analytics Problem
Presented at GlueCon 2015.
This presentation discusses SignalFx CTO and co-founder Phillip Liu's experience operating infrastructure and apps at massive scale and what drove the realization that monitoring is fundamentally an analytics problem now. Following on the heels of Adrian Cockroft's keynote that morning, Monitoring Microservices and Containers, this presentation went over real world examples of how modern monitoring for microservices wroks.
Why monitoring is an analytics problem
SignalFx uses an analytics approach to monitoring microservices. They instrument each microservice to collect metrics and log exceptions. All data is sent to an analytics service for analysis and detection of issues. For example, when a code push caused unexpected timeouts in an upstream service, SignalFx was able to quickly identify the outlier service through exception analysis, narrow down the problem to a specific exception, and find the root cause in just 15 minutes. Their analytics approach helps reduce mean time to resolution compared to traditional monitoring.
Runtime Analysis on Mobile Applications (February 2017)
The Need for a More Effective Penetration Test” Generally, reviewing a mobile application for security vulnerabilities include areas such as local storage, cryptographic usage, mobile traffic analysis, black box static analysis, etc. The methods and tools which are typically used to conduct these reviews are outdated, difficult to properly configure and/or use, and in many instances provide an incomplete picture. The easiest way sometimes would be to review the application while it is running, as it would provide a better understanding of the application’s behavior. However, debugging tools such as “gdb”, “jdb/jdwp”, and “adb” require significant manual time to analyze the application. And if we have to change the application’s normal behavior for bypassing any security controls, we have to decompile the application, edit the code, and rebuild the application. In this presentation, we will understand more effective methods of conducting runtime analysis on both iOS and Android applications, utilizing tools which monitor runtime behavior. We will also cover how hooking/runtime tools like “cycript” and “MobileSubstrate” work, and briefly discuss how these can be used to bypass controls such as built-in application safeguards, jailbreak detection, and certificate pinning. In addition, we will also discuss venues of attack vectors which may open up while testing the application at runtime. We will aim to deduce that, by including runtime analysis as part of our penetration testing methodology, we will save time while performing it more effectively.
Introduction to Android Development and Security
This document provides an introduction to Android development and security. It begins with a brief history of Android and overview of its architecture. It then discusses the Android development environment and process, including key tools and frameworks. It also outlines Android security features like application sandboxing, permissions, and encryption. Finally, it introduces a series of Android security labs that demonstrate exploits like parameter manipulation, insecure storage, and memory attacks. The goal is to provide hands-on examples of common Android vulnerabilities.
Laying the Foundation for Ionic Platform Insights on Spark
The document discusses Ionic Security's use of Spark and Databricks to enable low-cost and flexible reporting from their transaction log data. Some key goals were reducing costs from their previous Elasticsearch solution, enabling quick development of domain-specific reports, and laying the foundation for advanced analytics. They built a Scala Spark job that ingests log data from S3 and runs configurable report queries to output results. This allows flexible querying while keeping costs low. Lessons learned included benefits of Scala for Spark development but its learning curve, advantages of a single uber jar workflow, and pushing complex logic into Spark user-defined functions.
Wahckon[2] - iOS Runtime Hacking Crash Course
This document provides an introduction to runtime hacking on iOS. It discusses setting up the environment, mapping out an application by decrypting and dumping binaries to obtain class information. It then covers techniques for dumping and modifying variables at runtime like retrieving sensitive user data. Methods for manipulating functions are also presented, such as bypassing authentication or jailbreak detection. Persistence techniques like injecting libraries are explained. Finally, it addresses considerations for hacking Swift applications. The overall goal is to quickly get people up to speed on runtime analysis and manipulation of third-party iOS apps.
AWS Loft Talk: Behind the Scenes with SignalFx
Slides from SignalFx CTO Phillip Liu's presentation at the AWS Loft in SF after DockerCon: Behind the Scenes with SignalFx.
Phil discussed how SignalFx deploys, runs, and operates a completely Dockerized microservices architecture for a production SaaS application dealing with large volumes of high resolution customer data.
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Tizen is an open source operating system that can run on various devices including smart TVs and IoT devices. It uses a security model that isolates applications using SMACK mandatory access control and enforces content security policies for web applications. The presentation discusses hacking techniques tested against Tizen like exploiting shellshock vulnerabilities, bypassing address space layout randomization protections, and circumventing content security policies. It also provides an overview of methodologies for analyzing Tizen application security like static analysis of manifest and configuration files, decompiling native applications, and network analysis using a proxy. Overall the presentation evaluates the security of Tizen and highlights some implementation issues found.
Stranger Danger (NodeSummit, 2016)
npm packages are awesome, but also introduce risk.
This presentation explains how packages may introduce known vulnerabilities into your application, explains their impact, and most importantly, shows how to protect yourself.
The few slides were complemented by running several vulnerability exploits against the vulnerable demo app Goof from here: https://github.com/Snyk/goof
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
The document provides an overview of a workshop on practical Android application exploitation. The workshop aims to teach skills for performing reverse engineering, static and dynamic testing, and binary analysis of Android applications. It will use demonstrations and hands-on exercises with custom applications like InsecureBankv2. The workshop focuses on discovery and remediation, targeting intermediate to advanced skill levels. It will cover tools, techniques, and common vulnerabilities to exploit Android applications.
apidays New York 2023 - Putting yourself out there - how to secure your publi...
apidays New York 2023
APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media
May 16 & 17, 2023
Putting yourself out there - how to secure your public APIs
Dan Erez, Architecture Team Lead at AT&T
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Similar to Securing Serverless - By Breaking In (20)
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
(SEC202) Best Practices for Securely Leveraging the Cloud
(SEC202) Best Practices for Securely Leveraging the Cloud
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Microservices and Devs in Charge: Why Monitoring is an Analytics Problem
Microservices and Devs in Charge: Why Monitoring is an Analytics Problem
Runtime Analysis on Mobile Applications (February 2017)
Runtime Analysis on Mobile Applications (February 2017)
Laying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on Spark
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
apidays New York 2023 - Putting yourself out there - how to secure your publi...
apidays New York 2023 - Putting yourself out there - how to secure your publi...
More from Guy Podjarny
Stranger Danger: Securing Third Party Components (Tech2020)
Building software today involves more assembly than actual coding. Much of our code is in fact pulled in open source packages, and the applications heavily rely on surrounding third party binaries. These third parties make us more productive - but they also introduce an enormous risk. Each third party component is a potential source of vulnerabilities or malicious code, each third party service a potential door into our system.
This talk contains more information about this risk, create a framework for digesting and tackling it, and lists a myriad of tools that can help.
High Performance Images: Beautiful Shouldn't Mean Slow (Velocity EU 2015)
The web is becoming increasingly image rich. Between high-resolution mobile screens, Pinterest-style design, and big background graphics, the average image payload has more than doubled in the last three years. While visually appealing, these images carry a substantial performance cost, and — if not optimized correctly — can make a web experience slow and painful, no matter how beautiful it is.
In this tutorial we’ll discuss ways that let you provide the eye-pleasing experience you want without sacrificing your site’s performance.You’ll learn about the three primary aspects of image optimization:
- Image compression: how to best encode your images, delivering the same picture with the fewest bytes
- Image loading: once your files are as small as they can be, we’ll cover the best ways to make them show up quickly in the browser
- Operationalizing image optimization: different tools and techniques for integrating image optimization on your site
Talk given at Velocity Conf EU 2015: http://velocityconf.com/devops-web-performance-eu-2015/public/schedule/detail/45013
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
When users use our sites, they put their faith in us. They trust we will keep their information from reaching others, believe we provided the information they see, and allow us to run (web) code on their devices. Using HTTPS to secure our conversations is a key part of maintaining this trust.
If that’s not motivation enough, the web’s giants are actively promoting HTTPS, requiring it for features such as HTTP2 & ServiceWorker, using it for search engine ranking and more. To make the most of the web, you need to use HTTPS.
This deck reviews what HTTPS is, discusses why you should prioritize using it, and cover some of the easiest (and most cost effective) steps to get started using HTTPS
High Performance Images: Beautiful Shouldn't Mean Slow
(slides from the O'Reilly webcast, see recording here: http://www.oreilly.com/pub/e/3425)
The web is becoming increasingly image rich. Between high-resolution mobile screens, Pinterest-style design and big background graphics, the average image payload has more than doubled in the last three years. While visually appealing, these images carry a substantial performance cost, and — if not optimized correctly — can make a web experience slow and painful, no matter how beautiful it is.
These slides discuss how you can provide the eye-pleasing experience you want without sacrificing your site's performance. You'll learn about the three primary aspects of image optimization:
Image Compression: How to best encode your images, delivering the same picture with the fewest bytes.
Image Loading: Once your files are as small as they can be, we'll cover the best ways to make them show up quickly in the browser.
Image Operations: Different tools and techniques for integrating image optimization on your site.
Responsive In The Wild, 2014
Slides from my Web Directions South 2014 Talk.
Abstract:
Responsive Web Design (RWD) is upon us, and it seems like every website has either gone responsive or planning to do so. And in this rush to implement – performance is left behind…
Last November (2013), I ran a test identifying the responsive websites amongst the top 10,000 sites, and inspected their performance traits. The results were depressing, showing many sites have gone responsive, and hardly any tackled performance.
In this talk, we’ll track the progress (or lack there of) we made as an industry. We’ll look at the results of a new test, tracking our progress in adopting RWD and – more importantly – in addressing its performance implications. We’ll share high level stats, highlight key trends, drill into representative examples, and come away with a better understanding of what we should be doing better, both on our own sites and as an industry
Third Party Performance (Velocity, 2014)
Third party components are a part of any modern site: JS libs, analytics, trackers, share buttons, ads. Many components, each adding its performance cost, cause render delays or can effectively take your site down. This isn’t your code nor your servers, so what can you do about it?
This presentation will answer this question with strategies and tactics for keeping 3rd parties from taking you down.
This talk was given at Velocity Santa Clara, 2014: The presentation from Velocity Santa Clara, 2014 (http://velocityconf.com/velocity2014/public/schedule/detail/35448).
Rules driven-delivery
This document discusses how a URL is no longer sufficient for content delivery given modern dynamic web pages. It proposes implementing "rules driven delivery" where delivery definitions are structured as reusable, hierarchical rules that define criteria for when to apply delivery behaviors. These rules would be pushed to CDN edges to enable offloading and improve performance over simply relying on URLs and caching. Examples of rules provided include redirecting mobile users, image format negotiation based on Accept headers, and granular caching based on request header values. The goal is more flexible content delivery and caching optimized for a wide variety of dynamic web page scenarios.
Responsive In The Wild (SmashingConf, 2014)
Awareness to Responsive Web Design has grown substantially over the last few years, and practically any major organization has some RWD project in their Mobile Strategy decks. However, are we just talking about it, or actually doing it?
I ran a mass test to identify the responsive websites amongst the top 100,000 websites in the world. Eventually, we'll be able to rerun this test to track RWD adoption over time, but for now we can use it to see how RWD sites compare to each other and to non-RWD sites.
This short presentation, given over beers at the awesome SmashingConf, shares some such insights.
A (slightly smaller) but more detailed description of the test can be found here: www.guypo.com/mobile/roughly-1-in-8-websites-is-responsive/
Putting Your Images on a Diet (SmashingConf, 2014)
Images are quickly becoming one of the most critical factors for web performance. On one hand, users are demanding more visual websites, driving an increase in the number of images on a page and making background images cool again. On the other hand, technology trends such as Retina displays and RWD are making it much harder to choose the right image to download at any given time, avoiding the download of excess bytes.
In this talk, I go over what you can do to maximize the impact of every image byte. I explain the concept of Image Compression, understand how it applies to different image formats, and show the tools and techniques you should use to communicate the best visuals with the fewest bytes. Lastly, I show how to combine image compression and Retina displays, and discuss some newer image formats and how you can take advantage of them today
Third party-performance (Airbnb Nerds, Nov 2013)
Almost every site on the internet today serves 3rd-party assets and code - jQuery, analytics, trackers, share buttons, ads - from both their own servers and others - cloud providers, dedicated hardware, CDNs, google hosting. These third parties can have a significant effect on performance, delaying the load event, deferring actions, and being a single point of failure beyond your control. This deck discusses techniques and strategies for working with 3rd parties within these limitations, and shares some relevant community work.
Third Party Performance
Third parties are a part of our reality, and offer great business value - but also present some very real performance concerns.
This deck attempts to define and offer strategies, along with some practical tips, on how to deal with this problem.
A Picture Costs A Thousand Words
Images seem simple - they're static, independent from each other, and don't mess up the DOM. However, images make up 60%-70% of page bytes, and their visual nature makes them critical for user experience. Investing in Image Optimization is a highly worthwhile investment.
This presentation covers 4 aspects of Image Optimization:
- Optimizing Image formats (including background on GIF, PNG, JPEG, WebP, JPEG XR and more)
- Optimizing image delivery
- Optimizing image loading in the page
- Responsive Images - optimizing images for mobile screens
Step by Step Mobile Optimization
(A presentation given at Velocity Conference, London 2012)
Mobile Optimization is complicated, and there’s no single silver bullet. Many different bottlenecks take their toll along the way, and while some have a huge impact, others still add up. In this presentation, we’ll take a website and optimize it step by step. In each step we’ll touch on a problem, discuss how to solve it – perhaps in multiple ways – and show the effect of the solution. In the process, we’ll also touch on topics such as measuring mobile performance, differences between browsers, and which pitfalls are common
Quantifying The Mobile Difference
We all know Mobile is different, but by how much?
This presentation attempts to quantify the difference between mobile and non-mobile, focusing on CPU, network and browser differences.
Performance Implications of Mobile Design (Perf Audience Edition)
(This version of the presentation is oriented at a web performance audience, and includes some mobile design 101 content)
Mobile Web Design is complicated, and several design paradigms have been created to help deal with the challenges the mobile landscape creates.
Amongst other implications, each paradigm also carries its own performance pitfalls, which can turn a well designed site into a horribly slow user experience.
This presentation covers the top design paradigms - Dedicated Websites (mdot) and Responsive Web Design, gives some background on each, and digs into the performance do's and don'ts for your design of choice.
Performance Implications of Mobile Design
Choosing your mobile design paradigm is hard, and performance is an often overlooked parameter in this decision process.
This presentation discusses the top performance concerns for the top mobile design paradigms - Dedicated Sites (mdot) and Responsive Web Design (RWD).
Presented at Breaking Dev (bdconf) in April, 2012.
Unravelling Mobile Web Performance
The Mobile Web is a complicated beast, making Mobile Web Performance a tough problem to tackle. Is an iPad on WiFi a part of the Mobile Web? How about a laptop with a 3G stick?
This presentation tries to split the Mobile Web into three categories, to make it more manageable: Network, Software & Hardware. For each, it reviews the performance challenges this category entails, and offers possible solutions to those challenges.
A recording of this presentation (with audio) is available here: http://vimeo.com/32917131
State Of Mobile Web Performance
Presentation from 17/3/2011 at the NY Web Performance Chapter about the iPhone/Android Comparison Study by Blaze.io (http://www.blaze.io), presented by Guy Podjarny
More from Guy Podjarny (18)
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)
High Performance Images: Beautiful Shouldn't Mean Slow (Velocity EU 2015)
High Performance Images: Beautiful Shouldn't Mean Slow (Velocity EU 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
High Performance Images: Beautiful Shouldn't Mean Slow
High Performance Images: Beautiful Shouldn't Mean Slow
Putting Your Images on a Diet (SmashingConf, 2014)
Putting Your Images on a Diet (SmashingConf, 2014)
Performance Implications of Mobile Design (Perf Audience Edition)
Performance Implications of Mobile Design (Perf Audience Edition)
Recently uploaded
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications.
Full-RAG: A modern architecture for hyper-personalization
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Climate Impact of Software Testing at Nordic Testing Days
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentationsGraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
A tale of scale & speed: How the US Navy is enabling software delivery from l...
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Pushing the limits of ePRTC: 100ns holdover for 100 days
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
ここ3000字までしか入らないけどタイトルの方がたくさん文字入ると思います。
“I’m still / I’m still / Chaining from the Block”
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
20240605 QFM017 Machine Intelligence Reading List May 2024
Everything I found interesting about machines behaving intelligently during May 2024
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
UiPath Test Automation using UiPath Test Suite series, part 6
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...Edge AI and Vision Alliance
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.Recently uploaded (20)
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Securing Serverless - By Breaking In
- 1. snyk.io Securing Serverless - By Breaking In Guy Podjarny, Snyk @guypod
- 2. snyk.io About Me • Guy Podjarny, @guypod on Twitter • CEO & Co-founder at Snyk • History: • Cyber Security part of Israel Defense Forces • First Web App Firewall(AppShield), Dynamic/Static Tester(AppScan) • Security: Worked in Sanctum -> Watchfire -> IBM • Performance: Founded Blaze -> CTO @Akamai • O’Reilly author, speaker
- 3. snyk.io Serverless Security: The Theory (talk from ServerlessConf) https://www.youtube.com/watch?v=CiyUD_rI8D8 https://www.infoq.com/articles/serverless-security
- 4. snyk.io Today - straight to practice!
- 5. snyk.io Agenda • Show a demo serverless app • Hack it • Explain the security flaws and how to fix them • Summary • Q&A
- 8. snyk.io Example: Fetch file & store in s3 (Serverless Framework Example) 19 Lines of Code 2 Direct dependencies 19 dependencies(incl. indirect) 191,155 Lines of Code
- 9. snyk.io
- 10. snyk.io Serverless does secure OS dependencies Just not app dependencies
- 11. snyk.io 1. Beware Vulnerable Libraries (test during dev, monitor over time)
- 12. snyk.io Side Note: Snyk isn’t only for Serverless
- 14. snyk.io 2. ReDoS can still be costly (won’t take you down, but can hike up bill)
- 15. snyk.io Beware Resource Exhaustion Attacks Not all your services elastically scale
- 16. snyk.io Secrets
- 17. snyk.io 3. Avoid secrets in deployed code (env variables aren’t enough - Use a KMS!)
- 18. snyk.io Serverless platforms offer a Key Management System Just use it!
- 20. snyk.io 4. Deploy granular functions (shared function code = greater exposure)
- 21. snyk.io AWS Security Policy Easier Policy 3Policy 2 Policy 1 Safer
- 23. snyk.io 5. Use Granular Policies (only allow each function its minimum permissions)
- 24. snyk.io A function is a perimeter That needs to be secured Perimeter Perimeter Perimeter Perimeter Perimeter
- 26. snyk.io 6. Don’t rely on immutability (Lambda - and others - reuse servers)
- 27. snyk.io Serverless user is typically Low Privilege Reducing impact substantially, but not eliminating it
- 28. snyk.io 7. Worry about all functions (Every available function increases your attack surface)
- 29. snyk.io Summary 1. Beware vulnerable libraries 2. ReDoS can still be costly 3. Avoid secrets in deployed code 4. Deploy granular functions 5. Use Granular Permissions 6. Don’t rely on immutability 7. Worry about all functions
- 30. snyk.io Serverless Security: The Theory (talk from ServerlessConf) https://www.youtube.com/watch?v=CiyUD_rI8D8 https://www.infoq.com/articles/serverless-security
- 31. snyk.io Serverless is defined now. Let’s build Security in. Thank You! Guy Podjarny, Snyk @guypod